Exploiting (?) lv2

September 19, 2012

A long while ago KaKaRoTo pointed me to a stack overflow he found while reversing lv2_kernel. But there are two problems:

  1. The vulnerability is in a protected syscall (the SELF calling it got to have the 0x40… control flags set). So you’d first need to find a suitable usermode exploit (don’t ask us), that gives you code execution with the right privileges.
  2. The payload data is copied to lv2 heap first and the function will do a free call on it before the payload has any chance to get executed. This might not sound like a problem but it looks like lv2’s heap implementation will overwrite the free’ed space with 0xABADCAFE and thus destroy the payload.

Here is my sample implementation for 3.41 lv2_kernel (although the vulnerability should be present in all versions of lv2 up to the latest firmware), maybe someone of you will find a way to overcome problem (2.) and can get something nice out of it because right now it’s only good to crash lv2.

About these ads

9 Responses to “Exploiting (?) lv2”

  1. zecoxao Says:

    :) nice find

  2. int0h Says:

    M$ CRT overwrites freed heap buffer only when application is compiled in DEBUG mode no idea about linux and ps3 especially but such heap cleanups is huge performance impact especially if you going to free large buffer.


  3. (JUST SAYIN)Do you want a advice?……..just release somethin (BIG) or say something (HELPFUL FOR THE SCENE) when the new slim PS3 comes out….

  4. Duke Says:

    Might be obvious but:
    Can’t you use mprotect() on this memory pages before it’s freed and write a signal handler (cause trying to write on it will trigger a SEGV).

  5. Martell Says:

    First things first.
    What is the system trying to do at the time of the stack overflow?
    Is it called over and over or does it just occur once at a certain time?

    Some background info like this would be a good place for the rest of us to start.


Leave a Reply

Fill in your details below or click an icon to log in:

WordPress.com Logo

You are commenting using your WordPress.com account. Log Out / Change )

Twitter picture

You are commenting using your Twitter account. Log Out / Change )

Facebook photo

You are commenting using your Facebook account. Log Out / Change )

Google+ photo

You are commenting using your Google+ account. Log Out / Change )

Connecting to %s

Follow

Get every new post delivered to your Inbox.